New Investments in Internal Audit Can Benefit Compliance by Association

Internal audit is in the midst of a profound transformation that could, ultimately, lead to big changes in how it and compliance work together. For compliance professionals who are close with their friends in internal audit, now is a good time to put a little more love and care into the relationship.

You can see glimpses of that potential future in several surveys that hit the internal audit world this spring. Those surveys come from a variety of sources — the Institute of Internal Auditors as well as some professional services firms — and all reach essentially the same conclusions: audit is maturing.

First, internal audit is searching for new ways to add value to the overall enterprise, beyond its historical duties of financial audits or testing controls for Sarbanes-Oxley compliance. Second, internal audit is also racing to add more data analytics capability, so it can be more comprehensive in its job of assessing risk and identifying weak spots in business processes.

Bring those two points together, and you arrive at a third conclusion.

Internal audit, the so-called “Third Line of Defense” against corporate misconduct, will be able to add value by helping other functions in the first and second lines of defense run their business processes in a more effective, risk-aware manner.

That is, while doing its day job of analyzing risk and finding ways to reduce risk to reasonable levels, internal audit could also perform more of a “business process improvement function.” For instance, the audit team might create an algorithm to analyze a pile of data and identify risk. After it’s done, it can leave that algorithm with the operating business unit so the operations unit can monitor that risk itself.

For example, your company might have a policy that travel and entertainment expenses below $50 don’t need receipts. The audit team could build an algorithm to find employees with an unusually high number of expenses at $49 — just below the threshold where they would need to supply documentation.

Presto! The finance and compliance teams have a new tool to help identify possibly suspicious payments (how many bribes have been smuggled through the T&E account, after all?) when previously you were searching for illicit needles in giant haystacks of data.
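The threshold check described above, sketched as an added example (not the author's code or any audit team's tool). It assumes "just below" means within $2 under the $50 limit and flags an employee only when their share of such claims is statistically unlikely compared with everyone else's; the function names, parameters and ledger are hypothetical and the data is constructed.

```python
from collections import Counter
from math import comb

RECEIPT_THRESHOLD = 50.00  # policy from the article: claims below $50 need no receipt
BAND = 2.00                # assumption: "just below" = within $2 under the threshold

# Constructed sample ledger (employee -> claim amounts); not real data.
SAMPLE_CLAIMS = {
    "alice": [12.40, 23.10, 48.50, 61.00, 18.75, 35.20, 9.99, 44.00],
    "bob":   [49.00, 49.50, 48.75, 49.99, 15.00, 49.00, 49.25, 22.30, 49.00, 49.80],
    "carol": [27.00, 31.50, 49.00, 120.00, 14.20, 8.60, 52.30, 19.90, 40.00],
    "dave":  [10.00, 47.00, 33.30, 75.00, 21.00, 16.50],
}

def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def flag_threshold_huggers(claims, threshold=RECEIPT_THRESHOLD, band=BAND,
                           min_claims=5, min_near=3, alpha=0.001):
    """Return (employee, near_count, total, p_value) for outliers, most extreme first."""
    totals, near = Counter(), Counter()
    for emp, amounts in claims.items():
        totals[emp] = len(amounts)
        near[emp] = sum(threshold - band <= a < threshold for a in amounts)
    all_n, all_k = sum(totals.values()), sum(near.values())

    flagged = []
    for emp, n in totals.items():
        k = near[emp]
        # Too few claims, or too few near-threshold ones, to say anything.
        if n < min_claims or k < min_near:
            continue
        # Baseline rate from everyone else, so a heavy offender
        # does not inflate the rate they are compared against.
        rest_n = all_n - n
        base = (all_k - k) / rest_n if rest_n else 0.0
        p_value = binom_tail(k, n, base)
        if p_value < alpha:
            flagged.append((emp, k, n, p_value))
    return sorted(flagged, key=lambda r: r[3])

if __name__ == "__main__":
    for emp, k, n, p in flag_threshold_huggers(SAMPLE_CLAIMS):
        print(f"{emp}: {k}/{n} claims just under ${RECEIPT_THRESHOLD:.0f} (p={p:.2e})")
```

A flag here is a prompt for review, not proof of misconduct: an employee with a fixed $49 parking charge would trip it too.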

Compliance Should Be Tuned in to Internal Audit Enhancements

So how can ethics and compliance officers work constructively with a more powerful and precise internal audit function? And just as important, how can you ensure that internal audit and other operating units don’t engage in risk management or business process improvements without considering the compliance department’s needs?

Twenty years ago, our T&E example above would have required an army of auditors to sift through oceans of paperwork and spreadsheets. We could say the same for due diligence programs, whistleblower hotlines, bonus payments, and much more. The data existed, but not in a format that could be studied. Now the data can be studied.

Second, know what business process improvements you want to see. Operating units typically want processes to become more efficient: faster, simpler, more profitable. Internal audit departments typically want to reduce the risks that either (a) the board tells them to reduce; or (b) they want to reduce, depending on their enterprise risk assessments.

I don’t expect internal audit departments will undertake some grand reorganization of business processes without alerting the compliance departments; you do tend to work together, after all. But in a world where more improvements are possible, it becomes more important for compliance to know which improvements are the ones worth pursuing — and which aren’t.

Create Effective Detection Methods that Can Become Deterrents Themselves

Third, think about messages, not just monitoring. Our T&E example above does more than find $49 frauds. It also telegraphs to employees that internal audit can now detect suspicious T&E patterns even without documentation. The greater analytics ability strengthens the company’s control environment — the overall message the company projects to employees and third parties about how seriously it treats potential misconduct.

Or put another way, a greater ability to enforce a policy tells employees that the policy’s objective is taken more seriously. How can the ethics and compliance team leverage that? Which policies and objectives do you want to emphasize? What analytical tools could you use to emphasize them, while internal audit does its usual job of finding and reducing risk?

This transformation of internal audit will be a long time coming. Some internal audit functions already do dazzling things; some are still tiptoeing into this new world with small staffs and tight budgets. (Sound familiar?)

Regardless, this future is going to come. Compliance officers should be prepared to seize the opportunity when it does.